Much credit and thanks to arobertson545 for telling this forum about dsldiagd, the Broadcom diagnostic tool.
A basic DSL diagnostic client has been built in C for the host PC. It can interrogate the DSL diagnostic daemon running on the Broadcom target. The diagnostic tool uses a diagnostic network interface. That uses the UDP protocol on port 5100. The diagnostic data from the target is encoded in the UDP datagrams sent by the Broadcom daemon to the PC client.
But first of all, the daemon has to be woken up with some magic datagrams. Time synchronisation is also involved. Once initialised, the diagnostic daemon starts to report in a round-robin fashion perhaps fifty different types of line diagnostic data, each with its own 4-, 8- or 12-byte header in the datagram. Just half a dozen of these headers are understood to date.
Some types of diagnostic data, the line error counters for example, are readily identifiable (see below). But the most interesting data isn't yet decoded. Does anyone fancy working on this? It's a reverse engineering exercise. The source code is pretty crude at the moment. To be compatible with BillyGatesWare, that limits its design.
It looks like it's possible to get live QLN data using the tool. That is presumably achieved by disabling during showtime the bit-loading on a tone. That allows the background noise on the subcarrier to be measured. It would be great to reverse-engineer that specific functionality. At the moment though, the tool cannot get anything much that the xdslcmd doesn't already provide via the telnet interface. So nothing to get very excited about!
cheers, a
$ ./asbobcmdiagclient
Resetting dsldiagd on 192.168.1.1:5100
sent(0004) = ( 2a 4c 00 fc )
Waking up dsldiagd on 192.168.1.1:5100
sent(0004) = ( 2a 4c 80 ff )
sent(0004) = ( 2a 4c 80 ff )
recv(0004) = ( 2a 4c 41 ff )
Connected to server
sent(0020) = ( 2a 4c 00 ef 00 23 00 00 00 00 01 f4 00 00 00 00 00 00 00 00 )
sent(0004) = ( 2a 4c 00 fa )
sent(0020) = ( 2a 4c 00 ef 00 01 00 00 ff fe 00 00 00 00 00 04 00 00 00 00 )
recv(0061) = ( 2a 4c 01 f3 bd 9c 92 be 9b 8c 93 bc 90 8d 9a bb 96 9e 98 bc 92 9b c5 df 8f bb 9a 89 c2 cf 87 c7 .. )
recv(0083) = ( 2a 4c 01 f3 be bb ac b3 df 89 9a 8d 8c 96 90 91 df 96 91 99 90 c5 df af b7 a6 c2 be cd 8f 89 c9 .. )
recv(0060) = ( 2a 4c 01 30 00 00 01 06 00 00 01 70 01 00 00 2c a1 e0 00 00 a1 f0 00 00 00 0d f9 10 10 10 00 00 .. )
recv(0196) = ( 2a 4c 01 30 00 00 01 06 00 00 01 6f 01 00 00 b4 00 01 00 b4 63 68 00 b2 10 60 81 00 00 00 00 00 .. )
Version Info: - 0x636800B2 0x000100B4
recv(0052) = ( 2a 4c 01 f3 d5 d5 d5 df bb 8d 89 c5 df ac 9a 91 9b 96 91 98 df 9e 99 9a b6 9b d7 cf 87 ce cf c9 .. )
recv(0038) = ( 2a 4c 01 f3 bb 96 9e 98 df b7 9b 8d df be 9b 9b 8d c5 df c7 cf c7 cb ca c7 c7 cd d3 df ac 96 85 .. )
recv(0048) = ( 2a 4c 01 f3 bc 99 98 c2 cf 87 cf df 9a 86 9a ce c2 c9 cc df 9a 86 9a cd c2 c9 cb df 92 9e 87 b3 .. )
recv(0028) = ( 2a 4c 01 30 00 00 01 06 00 00 01 64 01 00 00 0c 00 bf 01 8a 00 00 00 00 00 00 00 00 )
recv(0012) = ( 2a 4c 01 30 00 00 00 2d 00 00 01 10 )
recv(0024) = ( 2a 4c 01 30 00 00 01 0c 00 00 00 5e 00 00 00 04 80 ba 14 8e 01 00 05 01 )
recv(0033) = ( 2a 4c 01 f3 ac 9a 91 9b 96 91 98 df bb 8c 93 bb 96 9e 98 8c df b7 9b 8d df 8b 90 df af b7 a6 f5 .. )
recv(0036) = ( 2a 4c 01 f3 b7 9b 8d df be 9b 9b 8d c2 cf 87 c7 cf c7 cb ca c7 c7 cd d3 df b7 9b 8d ac 96 85 9a .. )
recv(0036) = ( 2a 4c 01 f3 8c 8d 89 b2 be bc be 9b 9b 8d df c2 df ce cb c5 b9 ba c5 bd ca c5 be cd c5 cb cd c5 .. )
recv(0012) = ( 2a 4c 01 30 00 00 00 2d 00 00 01 36 )
recv(0020) = ( 2a 4c 01 30 00 00 01 06 00 00 00 65 02 24 00 80 10 1a 8d 0c )
recv(0020) = ( 2a 4c 01 30 00 00 01 06 00 00 00 67 00 25 00 80 10 1a 8d 0c )
recv(0020) = ( 2a 4c 01 30 00 00 01 06 00 00 00 65 02 25 00 80 10 1a 8d 8c )
recv(0020) = ( 2a 4c 01 30 00 00 01 06 00 00 00 67 00 26 00 80 10 1a 8c 8c )
recv(0024) = ( 2a 4c 01 30 00 00 01 06 00 00 00 66 01 36 00 07 01 00 05 01 54 8f 7e 89 )
recv(0024) = ( 2a 4c 01 30 00 00 01 0c 00 00 00 5d 00 00 00 04 c0 10 5d 20 01 00 05 01 )
recv(0068) = ( 2a 4c 01 30 00 00 01 0c 00 00 00 5e 00 00 00 30 80 23 36 a8 01 02 05 81 00 28 ef 7b 00 00 da 69 .. )
recv(0032) = ( 2a 4c 01 30 00 00 01 06 00 00 01 65 01 00 00 10 00 00 00 00 0e f6 ee 95 0e f5 09 c2 00 91 08 3a )
...
recv(0016) = ( 2a 4c 01 30 00 00 01 02 00 00 00 43 00 00 00 00 )
recv(0084) = ( 2a 4c 01 30 00 00 01 03 00 00 00 05 00 00 00 09 20 6e 04 15 20 27 1f 77 00 28 ef 7b 00 1d f5 23 .. )
RSWords GoodRS CorRS unCorRS SF SFErr rcvCRC rcvFEC rcvHEC rcvOCD rcvLCD HEC OCD LCD
544080917 539434871 2682747 1963299 3818113 55913 130 0 75 0 0 1714214 0 0
recv(0016) = ( 2a 4c 01 30 00 00 01 01 00 00 00 08 19 05 34 88 )
recv(0025) = ( 2a 4c 01 30 00 00 01 0c 00 00 00 5e 00 00 00 05 80 bd 5c 30 02 01 81 01 04 )
recv(0020) = ( 2a 4c 01 30 00 00 01 06 00 00 00 67 00 29 00 09 10 1a 8d 0c )
UNKNOWN CMD PARAM! (0067)
...
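An offline decoder for the hex-dump lines in the capture above, added here as an example; it is not the poster's C client. The two sample lines are copied from the capture. That `01 f3` payloads are bit-complemented ASCII, and that the words `0x103, 0x05` mark the error-counter block, are inferences from the visible bytes only; the dictionary keys and function names are this example's own.

```python
import struct

MAGIC = bytes.fromhex("2a4c")   # every datagram in the capture starts with these two bytes
# Only the first four counter columns can be checked against the visible bytes.
COUNTER_NAMES = ("RSWords", "GoodRS", "CorRS", "unCorRS")

# Two lines copied from the capture in the post ('..' marks bytes the client elided).
SAMPLE_TEXT = "recv(0061) = ( 2a 4c 01 f3 bd 9c 92 be 9b 8c 93 bc 90 8d 9a bb 96 9e 98 bc 92 9b c5 df 8f bb 9a 89 c2 cf 87 c7 .. )"
SAMPLE_COUNTERS = "recv(0084) = ( 2a 4c 01 30 00 00 01 03 00 00 00 05 00 00 00 09 20 6e 04 15 20 27 1f 77 00 28 ef 7b 00 1d f5 23 .. )"


def parse_dump_line(line):
    """Split 'recv(0084) = ( 2a 4c .. )' into direction, stated length, visible bytes, truncated flag."""
    head, _, body = line.partition("=")
    direction, stated = head.strip().rstrip(")").split("(")
    tokens = body.strip().strip("()").split()
    truncated = bool(tokens) and tokens[-1] == ".."
    data = bytes.fromhex("".join(t for t in tokens if t != ".."))
    return direction, int(stated), data, truncated


def decode(line):
    """Classify one dump line by the two bytes after the magic and decode what is understood."""
    direction, stated, data, truncated = parse_dump_line(line)
    if data[:2] != MAGIC:
        raise ValueError("datagram does not start with 2a 4c")
    if not truncated and len(data) != stated:
        raise ValueError(f"dump shows {len(data)} bytes, header says {stated}")
    kind, payload = data[2:4], data[4:]
    if kind == b"\x01\xf3":
        # Observed in the capture: complementing each byte yields printable ASCII.
        return {"dir": direction, "kind": "text",
                "text": bytes(b ^ 0xFF for b in payload).decode("ascii", "replace")}
    if kind == b"\x01\x30":
        usable = len(payload) - len(payload) % 4      # ignore a trailing partial word
        words = struct.unpack(f">{usable // 4}I", payload[:usable])
        out = {"dir": direction, "kind": "record", "words": words}
        # Assumption from the single sample: words 0x103, 0x05 mark the counter block,
        # whose 32-bit big-endian values start after a 12-byte header.
        if words[:2] == (0x103, 0x05):
            out["counters"] = dict(zip(COUNTER_NAMES, words[3:7]))
        return out
    return {"dir": direction, "kind": "other", "raw": data[2:]}


if __name__ == "__main__":
    for sample in (SAMPLE_TEXT, SAMPLE_COUNTERS):
        print(decode(sample))
```

The four decoded values match the first four columns of the counter table printed by the client; the remaining columns cannot be checked because the dump elides those bytes.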